1. The Field of the Invention
The present invention relates to the field of network security. Specifically, the present invention relates to methods, systems, and computer program products for authorizing a requesting entity to operate upon data structures in a standard manner that is at least partly independent of the type of underlying data structure being operated upon.
2. Background and Related Art
The success of the information age is widely attributed to the ability to efficiently access data. Data comes in a wide, almost unlimited, variety of different data types. For example, there may be data types corresponding to calendar information, task information, in-box information, word processing documents, presence information, favorite web site information, or a host of other different types of information. Often, it is desirable to control who has what kind of access to what kind of data. For example, a user or application might have read/write privileges over a small group of files, while having read-only privileges over another group of files.
Conventionally, this was accomplished by using an Access Control List or ACL associated with each file or directory in a hierarchical directory tree structure. Typically, access control rights for a particular directory are inherited by any descendent directories or files unless expressly overwritten by an access control list at the descendent directory or file. When a request comes in to perform an operation on a particular target file or directory, the total access control for that request is defined by any access rights inherited as well as the express enumeration of access rights indicated in the corresponding access control list for the target file or directory. If appropriate for the total access control permissions corresponding to the target file or directory, the request is then processed.
The use of access control lists thus allows for access control at the granularity of a file or directory. However, often certain parts of a file may be more sensitive than others. Regardless, the conventional use of access control lists provides the same level of access to all parts of a file. In other words, conventional access control lists do not provide for granular access control below the file level. Accordingly, what is desired are methods, systems, and computer program products for providing more refined granular access control than the directory or file level.
In addition, conventional access control lists grant the same level of access regardless of the way the user or application was authenticated. However, there are often a wide variety of authentication methods available, each offering a different level of confidence that a user or application requesting an operation is indeed who it purports to be. It may not be appropriate to grant the same level of access to a user or application that used a relatively low security authentication method, such as the simple assertion method, as compared to a user or application that used a relatively high level of authentication. After all, it would be fairly easy for an impostor to simply assert that they were a particular authorized user or application. Accordingly, what is further desired are methods, systems, and computer program products for granting appropriate access privileges based on authentication credentials.
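The following is an added illustration, not part of the application text, of the conventional ACL evaluation described above (rights inherited down a directory tree until an express ACL at a descendant overrides them) extended with the authentication-strength check the last paragraph asks for. The directory names, principals, the three authentication methods and their ordering are constructed for the example.

```python
from dataclasses import dataclass, field

# Constructed ordering of authentication strength, weakest first (assumption).
AUTH_LEVELS = {"assertion": 0, "password": 1, "certificate": 2}


@dataclass
class AclEntry:
    rights: set                  # e.g. {"read", "write"}
    min_auth: str = "assertion"  # weakest authentication method accepted


@dataclass
class Node:
    name: str
    acl: dict = field(default_factory=dict)       # principal -> AclEntry (express ACL)
    children: dict = field(default_factory=dict)  # name -> Node

    def add(self, child):
        self.children[child.name] = child
        return child


def effective_entry(root, path, principal):
    """Walk root -> target; an express entry at a descendant overrides inherited rights."""
    entry = root.acl.get(principal)
    node = root
    for part in [p for p in path.strip("/").split("/") if p]:
        node = node.children[part]
        if principal in node.acl:
            entry = node.acl[principal]
    return entry


def authorize(root, path, principal, operation, auth_method="assertion"):
    """True if the effective ACL grants the operation and the authentication is strong enough."""
    entry = effective_entry(root, path, principal)
    if entry is None or operation not in entry.rights:
        return False
    return AUTH_LEVELS[auth_method] >= AUTH_LEVELS[entry.min_auth]


def build_sample_tree():
    """Constructed tree: /home grants alice read/write; /home/secret restricts her to
    read-only and demands certificate authentication; /home/notes.txt inherits from /home."""
    root = Node("/")
    home = root.add(Node("home", {"alice": AclEntry({"read", "write"})}))
    secret = home.add(Node("secret", {"alice": AclEntry({"read"}, min_auth="certificate")}))
    secret.add(Node("plan.txt"))
    home.add(Node("notes.txt"))
    return root
```

Because rights are keyed to whole nodes, every byte of plan.txt receives the same decision; that is the file-level granularity limit the text describes.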